Databaseless security system.

An improved security system, including a portable smart card (500)
and a host computer (600), eliminates the need for the computer to
store individual personal identification (ID) numbers for each user
seeking access to the computer. Instead, the computer stores a first
encryption algorithm E1 used in converting a particular identification
number (ID)n into a secret code Sn for that particular user. Sn also
exists within the memory of the smart card, having been loaded into
its memory at the time of issue. A challenge number C is generated by
the computer and transmitted to the smart card. Within the smart card
and the computer, microprocessors respond to the challenge number C,
the secret code Sn, and a second encryption algorithm E2 in order to
generate response numbers Rn and R'n respectively. Thereafter, Rn is
transmitted to the computer where it is compared with R'n. A favorable
comparison is necessary for gaining access to the computer.
DATABASELESS SECURITY SYSTEM



Technical Field 



The present invention relates to a system for 
granting access to a secure facility, and more 
particularly to an authentication procedure. 

Background of the Invention 



A challenge for those who provide secure facili- 
ties is to exclude all unauthorized persons seeking 
entry while simultaneously making authentication 
procedures as convenient as possible for both au- 
thorized persons and facility administrators. Such 
goals are frequently incompatible with each other. 

The use of a password is perhaps the simplest 
and least expensive technique for providing access 
security. Additionally, passwords are relatively easy 
to change. However, there are problems with pass- 
words; when they are fixed for long periods of time 
the chances of guessing them are improved; and 
when they are changed too frequently, they are
forgotten by the rightful users. Further, when pass- 
words are transmitted across an interface, they can 
be intercepted by anyone with the proper monitor- 
ing equipment. 

In one known system, a common secret code 
is stored within each of two devices (key and lock). 
The secret codes are logically combined with a 
random number, available to each device, and the 
resulting numbers are compared with each other 
for identity. This technique is generally employed 
by various data communication systems (see e.g. 
"Locking Up System Security" - Electronics Week 
February 18, 1985 regarding Intel Corporation's 
27916 KEPROM™ Keyed Access EPROM). Ad- 
vantageously, the secret code itself needs never be 
transmitted so that an electronic intruder, monitor- 
ing interface signals, sees only the random data 
(challenge) and the modified random data 
(response) which are insufficient to teach the cor- 
rect response to subsequent challenges. Unfortu- 
nately, this technique stores the same secret code 
in all keys which precludes selective revocation of 
lost or stolen keys. 

One way to prevent tampering with private information in electronic
systems is the use of cryptosystems (i.e., methods for encrypting, or
transforming, information so that it is unintelligible and, therefore,
useless to those who are not meant to have access to it). Ideally, the
transformation of the information is so complicated that it is beyond
the economic means of an eavesdropper to reverse the process. The
eavesdropper is therefore not inclined to become an intruder who not
only would compromise the confidential nature of the stored
information, but also might engage in forgery, vandalism and theft. A
popular technique, known as public-key cryptography, relies on the use
of two keys - one to encode the information and another to decode it.
These keys are related in the sense that they serve to specify inverse
transformations; however, it is computationally infeasible to derive
one key from the other. That being the case, one of the keys can be
made public for improved convenience without compromising the security
of such a system. Applying public-key cryptography to the challenge of
excluding unauthorized persons seeking entry to a secure facility, the
party seeking entry would use his private key to encrypt
(authenticate) a message. The party receiving the encrypted message
would use the public key of the transmitter to decrypt the incoming
message in order to transform it to its original text. A discussion of
such systems is contained in the August, 1979 issue of Scientific
American in an article by Martin E. Hellman entitled "The Mathematics
of Public-Key Cryptography." An example of a public-key system is
disclosed in U.S. Patent 4,453,074 issued to S. B. Weinstein for a
"Protection System for Intelligent Cards." Unfortunately, in
public-key systems, the party receiving the encrypted message must
maintain a database that contains the public keys of all parties
having authorization to enter the secure facility.

One particularly promising system involves the use of a password along
with a smart card that exchanges data with an authentication device
during an authentication procedure. It is noted that the smart card
contains a processor and a memory; it is portable and frequently has
the shape of a conventional credit card. Security is improved by
requiring the holder of the smart card to remember a password. This
password can either be sent to the smart card enabling it to exchange
data with the authentication device, or the password can be sent
directly to the authentication device itself. In either case, two
conditions must now be satisfied: something in the user's head and
something in the user's hand.

A known system stores an identification (ID) number within each smart
card which is transmitted to the authentication device in order to
commence the authentication procedure. The authentication device
scrutinizes the ID number to determine whether it corresponds to a
presently valid ID number and then commences the authentication
procedure only when the result is affirmative. Such a system is
disclosed in U.S. Patent 4,471,216. While personal identification
numbers additionally offer the ability to improve flexibility (e.g.,
expiration date may be built into the ID itself), the storage of each
individual ID number in the authentication device requires significant
memory space. For example, storing 25,000 user keys, each 8 bytes
long, requires 200K bytes of memory. Further, each time a new smart
card is issued, the memory of the authentication device must be
updated to recognize it. This is particularly impractical in a
distributed system where, for example, the authentication device is
used in connection with room or building access. Even when the
authentication device comprises a host computer that is easily
updated, it is undesirable from a security standpoint to store all ID
numbers therein because they might be compromised if someone found a
way to break into the computer.



Summary of the Invention 

A security system includes a portable object, such as a smart card,
and an authentication device for electrically interacting with the
portable object to regulate access to a secure facility. An
identification number (ID)n is presented to the authentication device
which uses an encryption algorithm, E1, to convert it into a secret
code Sn. The authentication device also generates a challenge number,
C, which is transmitted to the portable object. Stored within the
portable object is secret code Sn and encryption algorithm E2 which
are used together with the challenge number C to create a response
signal Rn. Stored within the authentication device is encryption
algorithm E2, which is used together with secret code Sn and the
challenge number C to create response signal R'n. A favorable
comparison between Rn and R'n is necessary to gain access to the
secure facility.

In an illustrative embodiment of the invention, E1 and E2 are
identical processes that use different master strings (secret keys) to
transform a first binary number into a second binary number. Knowledge
of the encryption algorithm, however, is insufficient for an intruder
to determine the master string. The present invention illustratively
uses the Data Encryption Standard (DES) in the implementation of E1
and E2.

In a preferred embodiment of the invention, 
challenge number C is a 64-bit random number. 
Such numbers are generally non-repeating and en- 
hance security by virtue of their non-predictable 
character. 

The present invention advantageously regulates access to any one of a
number of protected resources including information, cash, and
physical entry into a facility without requiring the transmission of
secret information across an interface. Importantly, the present
invention eliminates the need to store and administer identification
information regarding each user entitled to access to the protected
resources.

It is a feature of the present invention that multiple secret codes
are easily stored within a smart card, each providing access to a
different facility, or backup access to the same facility in the event
of a security breach (e.g., the master string becomes known). In the
situation that security is breached, new secret codes can be derived
at the authentication device by merely using a new master string. Such
new secret codes would have already been stored within each smart card
at the time of issue as a precautionary measure. Thus, should security
become compromised, new smart cards do not need to be issued.

These and other features of the present invention will be more fully
understood when reference is made to the detailed description and
associated drawing.



Brief Description of the Drawing 



FIG. 1 is a flow diagram illustrating the various steps performed in
practicing the invention;

FIG. 2 is a flow diagram of the enciphering computation of the Data
Encryption Standard;

FIG. 3 is a block diagram that illustrates the calculation of f(R,K)
used in the Data Encryption Standard;

FIG. 4 discloses selection table S1 used in the Data Encryption
Standard;

FIG. 5 is a block diagram representation of the major functional
components of a smart card system and their general interconnection
with each other;

FIG. 6 illustrates use of the present invention in a computer access
security system in accordance with the invention;

FIG. 7 illustrates use of the present invention in a premises access
security system in accordance with the invention;

FIG. 8 discloses the functional components of a door lock such as used
in connection with FIG. 7;

FIG. 9 illustrates the structure of a master string used in the
encryption process;

FIG. 10 illustrates the structure of a challenge signal including
information regarding the selection of the secret code to be used
during the encryption process; and

FIG. 11 discloses a pseudo-random number generator suitable for use as
a challenge number generator.

Detailed Description 
GENERAL



Referring to FIG. 1, there is disclosed a diagram which illustrates
the salient features of the invention in modified flow chart form. The
mechanical analog of a key and a lock is useful in connection with
FIG. 1 because smart card 500 functions as a key and authentication
device 700 functions as a lock. Since the authentication process
requires activity on the part of both the smart card and the
authentication device, the activity associated with each part is
segregated to assist the reader in understanding the invention.
Although not required in the practice of the invention, security is
enhanced by requiring the holder of the smart card to enter a password
into the smart card, enabling it to commence the authentication
process by transmitting a personal identification number (ID)n to
authentication device 700. Alternatively, the holder of the smart card
could directly transmit (ID)n to the authentication device 700. In
either case, the following steps describe the authentication process:

(1) In response to the receipt of a signal such as (ID)n, box 740
recognizes the signal and initiates the generation of a challenge
number. Additionally, secret code Sn is created (box 710) using
encryption algorithm E1 (box 730) and the proffered personal
identification number (ID)n.

(2) Challenge number C is generated (box 750), transmitted to smart
card 500, and used internally (box 720). Note that a valid ID number
is not required to initiate the generation of a challenge number - a
feature that helps preserve confidentiality of the ID number.

(3) Both the smart card 500 and the authentication device 700 (box 563
and box 720) calculate a response (Rn and R'n respectively) to the
challenge number. Since secret code Sn and encryption algorithm E2 are
contained in both the smart card and in the authentication device, the
responses should be identical when compared (box 760).

(4) Block 770 further enhances security, with minimum inconvenience to
the system administrator, by testing whether the proffered (ID)n
corresponds to a lost or stolen card. The list of such cards is
presumably small and is seldom updated.

Once all of the above steps have been successfully completed, access
to the computer is granted, a door is opened, a credit transaction is
validated, or cash is delivered, etc.

The various boxes need not reside within the particular device as
shown in FIG. 1. For example, in a number of applications, the
challenge number generator can be located within the smart card while
still preserving the benefits of the invention. Indeed, in the
peer-to-peer authentication application described hereinafter, each
smart card contains a challenge number generator, means for comparing
response numbers, and the E1 algorithm including a master string.
Further, user interface 100 can be built into the smart card 500 or
the authentication device 700. It is an important advantage that the
list of valid ID numbers need not be stored within the authentication
device. It is sufficient that only the encryption algorithm E1,
originally used to create Sn from (ID)n, needs to be stored.

Stored within memory box 550 of smart card 500 is the above-identified
personal identification number (ID)n that is unique to that card. Also
stored within box 550 are one or more secret codes Sn and encryption
algorithm E2.

Secret code Sn comprises a plurality of binary digits stored in memory
that are not accessible from outside the card. Further, Sn is written
into memory at a time when the ID number is first assigned by the card
issuer. Sn is linked to a particular personal identification number,
designated (ID)n, by the functional relationship Sn = E1(ID)n. What
this means is that encryption algorithm E1 maps each unique personal
identification number into a unique secret code. As a practical
matter, a secret computer program transforms input signal (ID)n into
output signal Sn. It is the use of this particular transformation that
eliminates the need to store individual ID numbers. More will be said
about this later.

Encryption algorithm E2 is a computer program executed by a
microprocessor. It is jointly responsive to secret code Sn and to
input binary data signal C for generating an output binary data signal
Rn. Computation of Rn is indicated in box 563 where C is the challenge
number and Rn is the response. For improved security, C is a large
non-repeating number so that an intruder making a large number of
observations of the challenge and response will never learn the manner
by which they are related. So long as C and Sn are finite, however, it
is theoretically possible for the determined intruder to learn the
correct response to all challenges. Nevertheless, with a moderate
length secret code, say 64 bits, there are approximately 18 x 10^18
possible unique secret code combinations. Even with a computer aided
lockpick that tried 10 billion different combinations every second, it
would take 57 years to examine all combinations. This period could be
lengthened substantially if additional delay, say 1 second, was
introduced between challenge and response. By way of example, and not
limitation, C may be a random number, pseudo-random number, or even a
time clock (year: month: day: hour: seconds: tenths: etc.).
Stored in box 770 are the ID numbers of lost and stolen cards as well
as numbers that have expired or, for one reason or another, no longer
have permission to access the facility. Advantageously, even though
the authentication device "knows" at the outset that the proffered ID
number is unacceptable, access to the facility is not denied until the
entire process has been completed. Thus, only minimum information is
given to potential intruders. Storing a list of unacceptable numbers
allows customization with minimum susceptibility to fraud. There is
little or no incentive to increase the list of unacceptable ID
numbers; while on the other hand, a great temptation exists to
fraudulently increase the list of acceptable ID numbers - a temptation
that the present invention eliminates.

DATA ENCRYPTION STANDARD (DES) 



The purpose of any encryption algorithm is to convert confidential
information (data) into a form that renders it unreadable to all
except those who know how to decode the message. One simple technique
involves substituting one letter of the alphabet with another for each
of the letters. Such encryptions, however, are relatively easy to
decrypt, even for the unsophisticated intruder. More complex
techniques have arisen over the years to stay ahead of unsolicited
decryption experts, and the art has progressed to the point that
techniques exist that are so good that it no longer makes sense to try
to unravel an encryption signal. One such technique that has gained
wide acceptance is the Data Encryption Standard (DES) that is intended
for implementation in special purpose electronic devices. In 1977, the
National Bureau of Standards (now NIST) issued DES as a Federal
standard, and the National Security Agency has certified new products
using the standard. While a relatively brief discussion of the
application of DES to the invention is set forth below, a more
comprehensive treatment is set forth in the January 15, 1977 Federal
Information Processing Standards Publication 46 (FIPS 46), entitled
"Specifications for the Data Encryption Standard."

DES is a private-key scheme in which both encrypting and decrypting
keys are identical and secret. DES operates on data in blocks of
64-bits, sending it through 16 stages of the algorithm before exiting
as a 64-bit cipher text. Encryption relies heavily on proper
management of keys - the strings of characters that must be input to
the algorithms before encryption or decryption can take place. The
present invention does not require decryption, but rather relies on a
comparison between two encrypted signals. Encryption algorithms E1 and
E2 each use DES to achieve encryption; however, the data blocks and
keys are obtained from different sources. After a brief explanation of
DES is given, it will be applied to the present invention.



A flow diagram that illustrates the sequential operations performed in
the DES enciphering computation is shown in FIG. 2. Input box 201
comprises a 64-bit ordered set (vector) of binary digits whose order
is rearranged (permuted) according to a known pattern in an operation
akin to shuffling cards. The permuted block of 64-bits is now split
into two boxes 203 (L0) and 204 (R0), each comprising 32-bits in an
operation akin to cutting the cards. At this point, the card shuffling
analogy fails because mathematical operations 205 (modulo-2 addition)
and 206 (cipher function f) are introduced along with key K. Values
for K1 ... K16 are selected in accordance with 16 different
predetermined schedules whereby each Kn comprises an ordered set of
48-bits chosen from the 64-bit key.

For completeness, the operation of cipher function (f) is shown in
FIG. 3 where the calculation f(R,K) is diagrammatically laid out. In
this figure, E denotes a function which takes a block of 32-bits as
input and yields a block of 48-bits as output. The E function is very
similar to the initial permutation of box 202, but now certain of the
bits are used more than once. These blocks of 48 bits, designated 303
and 304 in FIG. 3, are combined by modulo-2 (exclusive or) addition in
box 305.

Selection functions S1, S2, ... S8 take a 6-bit input number and
deliver a 4-bit output number in accordance with a predetermined
selection table such as shown in FIG. 4 which discloses the S1
function. For example, if S1 is the function defined in this table and
B is a block of 6 bits, then S1(B) is determined as follows: The first
and last bits of B represent, in base 2, a number in the range 0 to 3.
Let that number be i. The middle 4 bits of B represent, in base 2, a
number in the range 0 to 15. Let that number be j. Look up in the
table the number in the i'th row and j'th column. It is a number in
the range 0 to 15 and is uniquely represented by a 4-bit block. That
block is the output S1(B) of S1 for the input B. Thus, for input
011011 the row is 01 (i.e., row 1) and the column is determined by
1101 (i.e., column 13). In row 1, column 13 the number 5 appears so
that the output is 0101. Selection functions S1, S2, ... S8 appear in
the Appendix of the above-mentioned publication FIPS 46.

Referring once again to FIG. 3, the permutation function P is
designated 306 and yields a 32-bit output (307) from a 32-bit input by
permuting the bits of the input block in accordance with table P, also
set forth in FIPS 46.



ENCRYPTION ALGORITHMS E1 AND E2



DES is now applied to encryption algorithm E1 which is used to convert
(ID)n into Sn. Note that when the smart card is issued, it comes
equipped with Sn already stored in its memory. Reference is now made
to FIG. 9 which illustrates the structure of the master string which
comprises 640-bits of secret data used by the encryption algorithm E1.
The master string is interpreted as 10 separate characters
(addressable by digits 0-9), each having 64 bits of data. The ID
number comprises a block of 6 digits, each assuming some value between
0 and 9 inclusive. In the following example, encryption algorithm E1
operates on (ID)n (illustratively set equal to 327438) in the manner
indicated. The first operation requires that the third character of
the master string be combined with the second character of the master
string in accordance with the DES enciphering computation. This
operation is denoted d(3,2) where 3 is treated as the data block and 2
is treated as the key. The operation performed is shown in FIG. 2 in
which the 64-bit number corresponding to the third character of the
master string is used as input 201, the 64-bit number corresponding to
the second character of the master string is used as K, and output 210
is a 64-bit number (designated "A") that will be used in a second
operation.

The second operation performed is similar to 
the first except that "A" is combined with the 
seventh character of the master string in accor- 
dance with the DES enciphering computation. This 
operation is denoted by d(A,7) where A is a 64-bit 
number used as input 201, and the 64-bit number 
corresponding to the seventh character of the mas- 
ter string is used as K. The operation performed is 
shown in FIG. 2 and output 210 is a 64-bit number 
(designated "B") that will be used in a third opera- 
tion. 

These operations continue until all of the digits of (ID)n are used.
The last operation, d(D,8), results in a 64-bit number which is used
as the secret code Sn. Accordingly, in this example, encryption
algorithm E1 uses the digits of (ID)n to index characters of the
master string. The DES enciphering computation shuffles these secret
keys in a known, but non-reversible, manner to generate Sn.

DES is now applied to encryption algorithm E2 which is used to convert
Sn and C into a response number Rn (within the smart card), or R'n
(within the authentication device). Sn and C each comprise a 64-bit
number which makes them ideally suited for the encryption computation
shown in FIG. 2. Indeed, Sn and C are "shuffled" in accordance with
the DES enciphering computation described above (see FIG. 2), and
output box 210 now contains a 64-bit number designated Rn or R'n.
These numbers are thereafter compared, and when they are identical the
smart card is deemed to be authenticated. Although the DES enciphering
computation is illustratively shown, it is understood that other
enciphering computations, having greater or lesser complexity, may be
used without departing from the spirit of the invention.
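
The E1 derivation and the four authentication steps described under GENERAL can be traced end to end in the following added example, which is not part of the patent text. It assumes a truncated HMAC-SHA-256 in place of the DES computation d(data, key), assumes that E2 uses C as the data block and Sn as the key, and uses a constructed master string; the class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # the patent works in 64-bit blocks


def d(data: bytes, key: bytes) -> bytes:
    """Stand-in for the DES enciphering computation d(data, key).
    Assumption: truncated HMAC-SHA-256 replaces DES, which is not in the
    standard library; the sketch only needs a keyed one-way 64-bit map.
    """
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def e1(master, id_digits: str) -> bytes:
    """S_n = E1((ID)_n): ID digits index characters of the master string."""
    if len(master) != 10 or any(len(ch) != BLOCK for ch in master):
        raise ValueError("master string must be 10 characters of 64 bits")
    if len(id_digits) != 6 or not (id_digits.isascii() and id_digits.isdigit()):
        raise ValueError("ID must be six decimal digits")
    idx = [int(c) for c in id_digits]
    acc = d(master[idx[0]], master[idx[1]])  # d(3,2) for ID 327438
    for i in idx[2:]:                        # d(A,7), d(B,4), d(C,3), d(D,8)
        acc = d(acc, master[i])
    return acc


def e2(secret: bytes, challenge: bytes) -> bytes:
    """R = E2(S_n, C). Assumption: C is the data block, S_n the key."""
    return d(challenge, secret)


class SmartCard:
    """Key side: holds (ID)_n and S_n, both loaded at issue."""

    def __init__(self, id_digits: str, secret: bytes):
        self.id_digits = id_digits
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return e2(self._secret, challenge)


class AuthDevice:
    """Lock side: stores the master string and a revocation list only."""

    def __init__(self, master, revoked=()):
        self._master = master
        self._revoked = set(revoked)
        self._pending = None  # (claimed ID, challenge) of the open attempt

    def begin(self, id_digits: str) -> bytes:
        # A challenge is issued whether or not the ID is valid or revoked.
        challenge = secrets.token_bytes(BLOCK)
        self._pending = (id_digits, challenge)
        return challenge

    def finish(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        id_digits, challenge = self._pending
        self._pending = None  # one response per challenge, so no replay
        try:
            expected = e2(e1(self._master, id_digits), challenge)
        except ValueError:
            return False
        match = hmac.compare_digest(expected, response)
        # Box 770: the revocation list is consulted only after the whole
        # exchange, so a refused card is not told why it was refused.
        return match and id_digits not in self._revoked


# Constructed sample data: a 640-bit master string (10 x 64 bits).
MASTER = [hashlib.sha256(b"constructed master %d" % i).digest()[:BLOCK]
          for i in range(10)]


def issue(id_digits: str, master=MASTER) -> SmartCard:
    """Card issuer: derive S_n once and load it into the card."""
    return SmartCard(id_digits, e1(master, id_digits))


def attempt(device: AuthDevice, card: SmartCard) -> bool:
    return device.finish(card.respond(device.begin(card.id_digits)))


def run_demo() -> dict:
    device = AuthDevice(MASTER, revoked={"111111"})
    good = issue("327438")
    captured = good.respond(device.begin(good.id_digits))
    valid = device.finish(captured)
    device.begin(good.id_digits)          # fresh challenge C
    replay = device.finish(captured)      # old response against new C
    forged = SmartCard("327438", bytes(BLOCK))  # right ID, wrong S_n
    return {"valid": valid, "replay": replay,
            "revoked": attempt(device, issue("111111")),
            "forged": attempt(device, forged)}
```

The device object holds nothing per user: a card issued later with any six-digit ID authenticates without the device being updated, and only the revocation set grows.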


CHALLENGE NUMBER GENERATOR 



There are many techniques for generating suitable challenge numbers.
Ideally such numbers are long, non-predictable, non-repeating and
random. One known technique involves periodically sampling the
polarity of a noise source, such as an avalanche diode, whose average
dc output voltage is zero. As discussed above, the challenge number
generator 750 (FIG. 1) may generate a random number, a pseudo-random
number, or even a predictable number - depending on the degree of
security warranted in the given application. One challenge number
generator is shown in FIG. 11 which provides a pseudo-random number at
its serial data output. The generator comprises a 64-stage shift
register whose output is modulo-2 combined (via Exclusive-OR gates
111, 112) with various of its stages and then fed back to the input of
the generator. Although the serial data output pattern is very long
(potentially generating all possible combinations of 64 bits), it
eventually repeats itself. Nevertheless, by accelerating the clock
rate at times when a challenge number is not needed, it would be most
difficult to predict which particular combination of 64 bits was
coming next.

The randomness of the challenge number is further improved by using
the DES enciphering computation shown in FIG. 2. Here, the Parallel
Data Output (X0, ... X63) of the pseudo-random number generator shown
in FIG. 11 is used as input 201 in FIG. 2, while one character of the
secret master string is used in obtaining the various values for K.
Recall that values for K1, ... K16 are selected in accordance with 16
different predetermined schedules whereby each Kn comprises an ordered
set of 48-bits chosen from a 64-bit key. Since the software needed to
implement DES, or the particular encryption algorithm used, is already
in place in both the smart card and in the authentication device, it
is cost effective to use it in connection with the generation of a
challenge number. Indeed, if DES is used in forming the challenge
number, it would be sufficient to increment a register each time a new
challenge number is needed, and then use that number, rather than
X0, ... X63, as input 201 in FIG. 2.
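
Why the generator output is passed through the enciphering computation can be seen by comparing successive challenges with and without that step. This is an added example, not part of the patent text: the feedback taps are an assumed tap set (the text does not give those of FIG. 11), truncated HMAC-SHA-256 stands in for DES, the seed and key are constructed, and the register is sampled one clock apart.

```python
import hashlib
import hmac

MASK64 = (1 << 64) - 1
TAPS = (64, 63, 61, 60)  # assumption: FIG. 11's taps are not in the text


def lfsr_step(state: int) -> int:
    """Clock a 64-stage shift register once with XOR feedback."""
    bit = 0
    for tap in TAPS:
        bit ^= (state >> (tap - 1)) & 1
    return ((state << 1) | bit) & MASK64


def whiten(block: int, key: bytes) -> int:
    """Stand-in for feeding input 201 through DES under a master-string
    character. Assumption: truncated HMAC-SHA-256 replaces DES here."""
    mac = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two 64-bit values differ."""
    return bin(a ^ b).count("1")


def mean_distance(values) -> float:
    pairs = list(zip(values, values[1:]))
    return sum(hamming(a, b) for a, b in pairs) / len(pairs)


def compare_generators(seed: int, key: bytes, n: int = 1000) -> dict:
    """Draw n successive challenges three ways and measure their structure."""
    raw, state = [], seed
    for _ in range(n):
        state = lfsr_step(state)
        raw.append(state)
    # Raw register contents: each value is the previous one shifted by one
    # bit, so an observer of one challenge already holds 63 bits of the next.
    shifted = all((b >> 1) == (a & (MASK64 >> 1)) for a, b in zip(raw, raw[1:]))
    whitened = [whiten(x, key) for x in raw]        # register, then cipher
    counter = [whiten(i, key) for i in range(n)]    # incremented register
    return {
        "raw_is_shift_of_previous": shifted,
        "whitened_mean_distance": mean_distance(whitened),
        "counter_mean_distance": mean_distance(counter),
        "whitened_unique": len(set(whitened)) == n,
        "counter_unique": len(set(counter)) == n,
    }


# Constructed inputs: an arbitrary non-zero seed and a 64-bit key.
SEED = 0x0123456789ABCDEF
KEY = bytes.fromhex("a1b2c3d4e5f60718")
```

With a true block cipher such as DES the counter variant can never repeat within 2^64 draws, because encryption under a fixed key is a permutation; the HMAC stand-in only makes repeats improbable.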

SMART CARD

Referring now to FIG. 5 there is disclosed a block diagram of a smart
card 500 and a reader/writer unit 900 such as used in connection with
the present invention. Although shown in greater detail in U.S. Patent
4,798,322, a brief description is presented here. Some of the
principal components located on smart card 500 are microprocessor 560,
electrically erasable programmable read-only memory (EEPROM) 550,
analog interface circuit 540, secondary winding 521 of transformer
920, and capacitive plates 541-544.
Microprocessor 560 includes a central process- 
ing unit and memory means in the form of random 
access memory and read-only memory. A micro- 
processor available from Intel Corporation such as is 
Part No. 80C51 may be used with the proper 
programming. Operating under firmware control 
provided by its internal read-only memory, the 
microprocessor 560 formats data to the EEPROM 
550 and to the reader/writer unit 900 via the analog 20 
interface circuit 540. EEPROMS are available from 
a number of suppliers, many of whom are men- 
tioned in an article entitled "Are EEPROMS Finally 
Ready to Take Off" by J. Robert Lineback, Elec- 
tronics. Vol 59, No. 7. (Feb 17,1986), pp. 40-41. 25 
Data may be written to or used from an EEPROM 
repeatedly while operating power is being applied. 
When operating power is removed, any changes 
made to the data in the EEPROM remain and are 
retrievable whenever the smart card 500 is again 30 
powered. 

The analog interface circuit 540 provides a means for interfacing
smart card 500 with reader/writer unit 900. Within analog interface
540 are circuits responsive to capacitors 541-544, for exchanging data
with reader/writer unit 900. Power for operating the card 500 is
provided to the analog interface circuit 540 via inductive transfer,
received by the secondary winding 521 of transformer 920. This
transformer is formed when secondary winding 521 is coupled to a
primary winding 921 within the reader/writer unit 900. The transformer
920 may advantageously include a ferrite core 922 in the reader/writer
for increased coupling between the transformer primary winding 921 and
secondary winding 521. A second such core 522 may also be included in
the transformer 920 to further increase coupling efficiency. The
primary winding 921 is driven at a 1.8432 MHz rate by power supply 930
whose operation is described with particularity in U.S. Patent
4,802,080 issued January 31, 1989.

Within the reader/writer unit 900, analog interface circuit 940
exchanges data with the smart card 500 under control of microprocessor
960. Capacitor plates 941-944 are aligned with the mating capacitor
plates 541-544 within the smart card 500. The input/output serial data
interface 950 is basically a universal asynchronous receiver
transmitter (UART) which may be advantageously included in the
microprocessor 960. This UART is used for externally communicating
with a suitably configured application station 990.

Application station 990 represents any one of a 
variety of stations, terminals or machines capable 
of interacting with the reader/writer unit 900 for the 
purpose of selectively granting access to the re- 
sources which it controls such as cash, premises 
access, information in a computer, credit authoriza- 
tion for a telephone call or the purchase of goods, 
etc. Stored within the application station is the 
computational power to carry out the authentication 
procedure disclosed in FIG. 1. Reader/writer unit 
900 may itself be part of the application station 990 
and its microprocessor 960, when provided with 
sufficient memory, is suited to carry out the au- 
thentication procedure. Also stored within the ap- 
plication station is the appropriate hardware to 
open a lock or remit cash. Such hardware is well 
known by those in the particular art to which the 
application station pertains. A discussion of certain 
of these applications follows. 



APPLICATIONS 



Computer Access Security System 

FIG. 6 discloses one application of the present 
invention in a computer access security system. In 
this system, terminal stations 101 and 102 provide 
access to host computer 600 so long as the user 
can be authenticated. In one situation, the user 
inserts his smart card 501 into a terminal security 
server (TSS) 610 for the purpose of verifying that 
he is entitled to access host computer 600. 
Modems 641 and 643 are frequently needed to
adapt digital signals to transmission over public
switched network 650. At the host location, host
security server (HSS) 630, together with host smart
card 503, grants access only to authorized users.
In this application, TSS 610 includes a reader/writer 
unit 900 such as shown in FIG. 5, that interacts 
with smart card 501 to exchange electrical signals 
between the smart card and a particular application 
station. The user transmits his password to smart 
card 501 via terminal station 101 which commen- 
ces the authentication process with HSS 630 and 
host smart card 503. Security is improved by stor- 
ing the authentication algorithms and master 
strings within smart card 503 rather than in the host 
computer. Whereas a super-user might be able to 
access secret codes stored within the host com- 
puter 600, the host smart card is configured to only 
grant or deny access; secret information within the
card 503 is not available to anyone after it has 
been entered. Since individual user ID numbers do 
not have to be stored in the present invention, it is 
possible to handle the authentication of vast num- 
bers of users with minimal storage so that smart 
cards using EEPROMS of moderate size, say 2048 
bytes, are adequate for the task. The authentication 
process performed in this application is the same 
as discussed above using DES or another suitable 
enciphering computation. 

Variations of this system include the situation 
where the TSS 610 is replaced by a portable 
security server (PSS) 620. Here, the user types his 
identification number (ID)n into terminal station 102.
(ID)n is then transmitted to HSS 630 which includes
host smart card 503. HSS 630 returns a challenge 
number which is displayed on terminal station 102. 
The user then enters this challenge number into 
PSS 620 using keys 622. Contained within PSS 
620 is smart card 502 which stores secret code Sn 
and encryption algorithm E2. It computes a response
Rn to the challenge number and displays it
on liquid crystal display 621. Thereafter, the user
enters Rn into terminal station 102 and awaits access
to host computer 600. Clearly, each terminal
station 101, 102 could contain the equipment presently
housed within TSS 610 or PSS 620.



Premises Access Security System 

An important application of the present invention
is in connection with the replacement of conventional
door locks and mechanical keys where
high security is important. Smart cards are useful 
in this application because they can be selectively 
revoked and adapted for use only during predeter- 
mined hours. Further, they can be programmed to 
commence or expire on certain dates. The present 
invention is particularly advantageous in such a 
distributed system because the identity of each 
newly authorized user does not have to be commu- 
nicated to each lock, although information regard- 
ing users no longer having authorization must be 
so communicated. The security of microwave 
"huts," which control vital junction points in the 
national telecommunication network, is of critical 
importance. Such locations warrant greater protec- 
tion than easily duplicated mechanical keys can 
offer. 

An example of a premises access security system is shown in
FIG. 7 which illustrates another application of the present
invention. Door 830 provides entry to a secure location such
as a room or a building. Outside handle 850 does not normally
operate the lock, but is provided merely for conveniently
pushing or pulling on the door once the lock is open. A bolt
assembly is driven by an inside handle (not shown) and
includes a protrusion 840 which engages a strike 995
positioned in the door jamb. In the embodiment of FIG. 7, the
strike itself is activated to permit the opening and closing
of the door. Alternatively, the bolt within the door could
have been controlled in accordance with the invention. Lock
800 is positioned adjacent the door jamb on wall 820 and
includes a slot 810 for inserting an electronic key.

Referring now to FIG. 8, additional detail is provided
regarding the hardware needed to support this particular
application. In order to obtain access, the user first
inserts his key 500 (smart card) into slot 810 (see FIG. 7)
of lock 800. Once the key 500 is in contact with
reader/writer unit 900, as discussed in connection with
FIG. 5, authentication can begin. The user enters his
password using the switches 120 on user interface 100 which
is transferred to key 500 via reader/writer unit 900. If the
entered password matches the password stored in memory 550 of
key 500, then the key transmits its identification number
(ID)n to application station 990, and more particularly to
authentication device 700 which carries out the
authentication procedure discussed in connection with FIG. 1.
In the event that the key is authenticated, processor 760
delivers a pulse to relay driver 770 which activates relay
780 thereby closing contact K1. Power is now applied to
electric strike 995 which enables the door to be pulled open.
A suitable transducer for carrying out this function is the
Model 712 Electric Strike, manufactured by Folger Adam Co.
that requires 12 volts DC at 0.3 amperes. Information
regarding door entry may be delivered to the user on display
110 of the user interface 100. Such information might include
prompts for using the system, a message that the key has
expired or that the password should be re-entered. Processor
760 includes memory for storing encryption algorithms E1 and
E2 as well as a list of lost/stolen keys and those ID numbers
that have been granted access to the facility over some time
period. Such information can be delivered to, and displayed
on, user interface 100 when properly commanded.



Multiple Secret Codes 

In accordance with the present invention, the smart card may
be used in connection with a plurality of authentication
devices in which each device grants access to a different
user population. This is made possible by storing a plurality
of secret codes within each smart card - very much like
having a number of different keys on a single key ring.
Knowing which secret code to use is communicated to the smart
card when the challenge is delivered. Recall that challenge C
comprises a 64-bit (8 byte) random number in the preferred
embodiment. An additional byte (header) is added to the
challenge, as shown in FIG. 10, that selects one of the
secret codes Sn stored within the memory of the smart card.
Here, the header corresponds to the address of the particular
secret code to be used in providing the correct response to
the challenge. An 8-bit header accommodates 256 different
secret codes, many of which may be used to enhance the
security of a single authentication device. Perhaps 2 or 3
different challenges might be issued in an extremely high
security application. In situations where 64 bits of random
data are not necessary, various bit positions of the
challenge number can be dedicated to identifying the
particular secret code to be used.
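The FIG. 1 procedure combined with the header-byte selection described above, as an added example that is not part of the patent text. HMAC-SHA256 stands in for E1 and E2 (the patent uses DES), and the class names, `issue_card`, `authenticate`, the IDs and the master strings are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 replaces DES as the stand-in for both E1 and E2.
def e1(master: bytes, card_id: bytes) -> bytes:
    """E1 stand-in: derive secret code Sn from (ID)n under the master string."""
    return hmac.new(master, card_id, hashlib.sha256).digest()

def e2(secret_code: bytes, challenge: bytes) -> bytes:
    """E2 stand-in: 8-byte response to challenge C under secret code Sn."""
    return hmac.new(secret_code, challenge, hashlib.sha256).digest()[:8]

class SmartCard:
    def __init__(self, card_id: bytes, codes: dict):
        self.card_id = card_id
        self._codes = dict(codes)  # header address -> Sn, loaded at issue

    def respond(self, message: bytes) -> bytes:
        header, challenge = message[0], message[1:]
        if header not in self._codes or len(challenge) != 8:
            raise ValueError("unknown secret-code address or malformed challenge")
        return e2(self._codes[header], challenge)

class Facility:
    """Holds a master string and a revocation list, never a per-user table."""
    def __init__(self, master: bytes, header: int, revoked=()):
        self._master = master
        self.header = header          # address of this facility's Sn on the card
        self.revoked = set(revoked)   # IDs not entitled to access
        self._pending = {}            # outstanding challenge per ID

    def secret_for(self, card_id: bytes) -> bytes:
        return e1(self._master, card_id)  # recomputed on demand, not stored

    def challenge(self, card_id: bytes) -> bytes:
        c = secrets.token_bytes(8)        # 64-bit random challenge C
        self._pending[card_id] = c
        return bytes([self.header]) + c   # header byte selects the secret code

    def verify(self, card_id: bytes, response: bytes) -> bool:
        c = self._pending.pop(card_id, None)  # each challenge is single-use
        if c is None or card_id in self.revoked:
            return False
        expected = e2(self.secret_for(card_id), c)
        return hmac.compare_digest(expected, response)

def issue_card(card_id: bytes, facilities) -> SmartCard:
    return SmartCard(card_id, {f.header: f.secret_for(card_id) for f in facilities})

def authenticate(card: SmartCard, facility: Facility) -> bool:
    message = facility.challenge(card.card_id)
    return facility.verify(card.card_id, card.respond(message))
```

Because the facility recomputes Sn from the presented ID, adding a user means issuing a card and nothing else; only removals touch facility state, through the revocation list.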



Peer-to-Peer Authentication

In a number of situations, it is desirable for authentication
to proceed between two members of a population who desire to
exchange secret information after the identity of each member
is verified to the satisfaction of the other. The present
invention is useful in this regard because it does not
require storage of the identification numbers of all members
of the population. However, each of the smart cards must
generate a challenge signal, store secret code Sn as well as
encryption algorithms E1 and E2, and compare response numbers
Rn with R'n. Authentication proceeds in a
manner similar to the procedure of FIG. 1, except
that the combined functions of smart card 500 and 
authentication device 700 are now contained within 
a single, more powerful smart card. After the first 
smart card authenticates itself to the second, the 
second smart card authenticates itself to the first. 
This assures the first user that he has reached the 
correct destination, and it assures the second user 
that the person seeking access is entitled to it. 
Since each smart card now carries the secret mas- 
ter string, security is potentially weakened. How- 
ever, the master string is not retrievable from mem- 
ory and cannot be determined by trial and error 
within a reasonable time. 

Modifications and variations of the present in- 
vention are possible and include, but are not limit- 
ed to, the following: (i) smart cards are portable 
devices that may assume any convenient shape; 
(ii) smart cards may include metallic contacts al- 
though the disclosed contactless interface offers 
great resistance to external contaminants and elec- 
trical discharge; (iii) challenge numbers need not 
be random or even secret, although some degradation
to security is inevitable; and (iv) encryption
algorithms E1 and E2 may be less complex than
DES and may even be implemented in hardware
comprising no more than an Exclusive-OR gate.



Claims

1. A system for controlling access to a secure
facility, the system including a portable object
(500) and means for transferring data between the
portable object and the facility,
the facility comprising:
memory means for storing encryption algorithms
E1 and E2;
means (750) for generating a challenge number
(C);
means responsive to an identification signal (ID)n
that identifies the particular portable object
(500) seeking to gain access to the facility, and to
encryption algorithm E1 for generating a secret
code (Sn);
means (720) responsive to the challenge number
(C), to the secret code (Sn) and to encryption
algorithm E2 for generating a first response signal
(R'n); means (760) for comparing the first response
signal (R'n) with a second response signal (Rn)
generated by the portable object, and for providing
an enabling signal when the comparison is favorable;
the portable object (500) comprising:
memory means (550) for storing the secret code
(Sn) and the encryption algorithm E2; and
means (563) responsive to the secret code (Sn), to
the challenge number (C) received from the facility,
and to encryption algorithm E2 for generating a
second response signal (Rn) and transmitting same
to the facility.

2. The system of claim 1 wherein the facility further
includes:
means for storing a list of identification numbers
not entitled to access the secure facility; and
means (770) for determining correspondence between
the stored list of identification numbers and
the identification signal that identifies the particular
portable object seeking access to the facility, and
for denying access to the facility when such
correspondence exists.

3. The system of claim 1 wherein the means (710)
for generating the secret code (Sn) comprises a
first processor, jointly responsive to the identification
signal and to a secret master string, for executing
a predetermined sequence of steps in accordance
with encryption algorithm E1.

4. The system of claim 1 wherein the means (720)
for generating the first response signal comprises a
first processor, jointly responsive to the secret
code (Sn) and to the challenge number (C), for
executing a predetermined sequence of steps in
accordance with encryption algorithm E2.
5. The system of claim 1 wherein the means (563)
for generating the second response signal comprises
a second processor, responsive to the secret
code and to the challenge number, for executing
a predetermined sequence of steps in accordance
with encryption algorithm E2.

6. The system of claim 3 wherein encryption algorithm
E1 is a process for encrypting data in
accordance with the Data Encryption Standard.

7. The system of claim 5 wherein encryption algorithm
E2 is a process for encrypting data in
accordance with the Data Encryption Standard.

8. The system of claim 1 wherein the challenge 
number is substantially random. 

9. A method for testing the authenticity of a portable
electronic device (500) and for enabling access
to a secure facility when the portable electronic
device is authentic, the method comprising the
steps of:
storing encryption algorithms E1 and E2;
receiving an identification signal (ID)n that identifies
the particular portable electronic device seeking
access to the facility;
generating a secret code (Sn) in accordance with
encryption algorithm E1 using the identification signal
as an input;
generating a challenge number (C) and transmitting
same to the portable electronic device;
generating a first response signal (R'n) in accordance
with encryption algorithm E2 using the secret
code and the challenge number as inputs;
comparing the first response signal (R'n) with a
second response signal (Rn) generated by the portable
electronic device; and
enabling access to the secure facility when the
comparison is favorable.

10. The method of claim 9 further including the
steps of:
storing a list of identification numbers not entitled
to access the facility; and
denying access to the facility when the received
identification signal corresponds to an identification
number stored on the list of those not entitled to
such access.



Patent Office

EUROPEAN SEARCH REPORT

Application Number: EP 90 31 2005

DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document with indication, where appropriate, of relevant passages:

EP-A-0 029 894 (IBM) * abstract; claim 1 *
EP-A-0 131 421 (AMERICAN TELEPHONE AND TELEGRAPH COMPANY) * abstract *
EP-A-0 281 059 (SIEMENS) * abstract *
US-A-4 310 720 (CHECK) * abstract *
EP-A-0 114 773 (CII HONEYWELL BULL) * abstract *
EP-A-0 281 058 (SIEMENS) * abstract *
EP-A-0 284 133 (TRT) * claim 1 *
US-A-4 453 074 (WEINSTEIN)
US-A-4 471 216 (HERVE) * abstract *

Relevant to claim: 1,9

CLASSIFICATION OF THE APPLICATION (Int. Cl.5): G 07 F 7/10; G 07 C 9/00; G 06 F 1/00

TECHNICAL FIELDS SEARCHED (Int. Cl.5): G 07 F; G 07 C; G 06 F

The present search report has been drawn up for all claims

Place of search: The Hague
Date of completion of search: 30 May 91
Examiner: TACCOEN J-F.P.L

CATEGORY OF CITED DOCUMENTS
X : particularly relevant if taken alone
Y : particularly relevant if combined with another document of the same category
A : technological background
O : non-written disclosure
P : intermediate document
T : theory or principle underlying the invention
E : earlier patent document, but published on, or after the filing date
D : document cited in the application
L : document cited for other reasons
& : member of the same patent family, corresponding document